17.4

KNOWN LIMITATIONS

Effective August 2025, the following temporary limitations apply in version 17.4 and later:

All agent upgrades must be performed manually.
Refer to Performing a Manual Agent Update for further information.
Multi-tenant cross-origin site iframes on the master site
E-alert

The limitations will be remediated in a future patch.

New Features

Access Control for Tenant Management

Previously, the Administrator role token for the General access type applied broad permissions that included implicit access to the Tenant Management module. The new Tenant Management role token introduces granular access control for tenant-related features. Users on a master vSOC instance with the Tenant Management token enabled will see the Tenant Management module unhidden in the Configuration page and will be able to execute all tenant-related commands.

Entra ID SAML Authentication and Role Mapping

The new Entra ID (Azure AD) authentication type enables certificate-based SSO, with RBAC enforced in D3 based on user roles configured in Microsoft Entra ID.

How It Works

During authentication, Microsoft Entra ID issues a SAML assertion containing user claims, which D3 receives and processes. Among these claims, a role claim (configured with the user.assignedroles source attribute) is required. Its name URI must be specified in the Claim Name field in D3.

User roles obtained via the role claim are matched against preconfigured D3 Role Attribute Mapping records to assign the corresponding D3 role at login.

If multiple matches are found, the D3 role from the record with the lowest Priority value is applied. If no match exists, login is denied.

New Configuration Key: Restrict d3key and d3jwt in URL Parameters

Key Set to **False** (default): Allows passing d3key and d3jwt in URL parameters.

Key Set to **True**: Blocks d3key and d3jwt in URL parameters; requires credentials in HTTP headers.

A new configuration key controls whether users can pass d3key and d3jwt in URL parameters for API requests. When enabled (True), credentials must be included in HTTP headers; attempts to use URL-based authentication return a 403 Forbidden error. By default, the key is set to False to preserve compatibility with existing workflows.

To set this key to True, contact D3 support.

New Reporting Dashboard Widget: Summary

A new Summary widget is now available in the Reporting Dashboard. This widget allows users to select and display specific incident, event, or artifact fields, providing a high-level overview tailored to their needs.

View Details

Creating a New Summary Widget

Click the + New button under Reporting Dashboard > Widgets.
Select a data source.
The Summary widget is supported for all data sources.
Choose a site and date range for the data query, then click the Run Query button.
Click the Next Step: Configure Widget button, then select the Summary widget type.
Once on the Summary widget configuration page, users can:
1. Add tags to improve the widget’s searchability on the Edit Dashboard page
2. Select specific fields and sub-fields to display a high-level overview of relevant data.

READER NOTE

Fields and sub-fields vary based on the selected data source. For a complete list, refer to Fields Appendix.

RESULT

A fully configured Summary widget may look like the following:

Finding the Newly Configured Summary Widget

After configuration, the widget appears under the Summary Widgets category on the dashboard creation page.

If there are tags associated with this widget, users can search for it by selecting the defined tags from the Tags: All dropdown.

READER NOTE

On the Reporting Dashboard, this widget is displayed as follows:

Fields Appendix

Incident Data Source: All Available Fields

Key Fields
- Site
- Incident Type
- Status
- Severity
- Owner
- Create Time
- Last Modified Time
Description
Conclusion
Linked Incident
- Incident Type
- Title
- Severity
- Status
- Owner
- Date Created
- Date Closed
Linked Event
- Event Investigator
- Event Type
- Risk Level
- Status
- Description
- Site
- Data Source
- Ingested Time
Note
Incident Form

Event Data Source: All Available Fields

Key Fields
- Risk Level
- Event Source
- Event Status
- Event Type
- Tactic
- Technique
- Event Ingestion Type
- Event Occurred UTC Time
- Event Ingested UTC Time
Custom Fields

Artifact Data Source: All Available Fields

Key Fields
- Artifact Name
- Artifact Type
- Risk Level
- Tactic
- Technique
- Event Count
- Incident Count
- First Seen
- Last Seen
Last 10 Reputation
Last 10 Related Events
Last 10 Related Incidents

Enhancements

General Enhancements

Controlled Site-Sharing for Users in Tenant vSOC Instances

Previously, executing the Create Tenant Site utility command resulted in all tenant vSOC instance users receiving unintended visibility into all master vSOC sites. Now, a new Select Sites interface in Tenant Management > Shared Content > Users / Groups / Roles enforces site-level access isolation. Within this interface, site selections are isolated per user and do not affect other users in the same or different tenant vSOC instances. Running the utility command now only makes additional sites available for selection in the Select Sites interface–no sharing occurs until the administrator clicks the lab1.d3securityonline.net_d3_staging_n8_p1_VSOC_Playbooks_D3Playbook (2) 1 (1)-20250730-215314.png button.

Improved Table Readability in Incident Workspace Widgets

Content within HTML tables in Incident Workspace widgets now wraps by default when collapsed, eliminating the need for horizontal scroll bars. This enhancement improves readability for large or multiline values displayed in table cells.

Utility Commands

New Commands

The following utility commands have been added to this release of D3 SOAR.

Commands	Functionality
Extract Event Artifact	Retrieves all artifacts linked to a specified Event ID.

Integrations

New Integrations

The following integrations have been added to this release of D3 SOAR.

Integration Name	Description
Corelight	Corelight is a cybersecurity company that provides network detection and response (NDR) solutions based on the open-source Zeek (formerly Bro) network monitoring framework. Corelight transforms network traffic into rich logs, extracted files, and security insights, making it easier for SOC analysts, threat hunters, and incident responders to detect and investigate threats.
CyberArk Privileged Access Manager	CyberArk's Privileged Access Manager (PAM) solution allows organizations to manage, control and monitor activities across all types of privileged identities.
Cyderes	Cyderes positions itself as an MSSP that combines people, process, and platform—powered by AI and expert operations—to provide proactive cybersecurity, strong identity management, and rapid incident response capabilities.
ExtraHop RevealX 360	RevealX 360 is a SaaS NDR platform that captures real-time, agentless wire data via lightweight sensors and delivers unified visibility, behavioral analysis, and threat detection across on-premises, hybrid, and multicloud environments.
iBoss	iBoss is a cloud-based cybersecurity platform that provides secure web gateway services, helping organizations protect users from internet threats by controlling and monitoring web traffic. It supports advanced web filtering, threat protection, and data loss prevention across distributed networks.
Kaseya's DarkWebID	Kaseya DarkWebID is a dark‑web monitoring and threat intelligence platform designed to help organizations detect if their domains, email addresses, passwords, or other sensitive data have been exposed or compromised online.
Silent Push	Silent Push is a cybersecurity platform that provides Threat Intelligence (TI) and threat detection and response services. It is designed to proactively identify and analyze malicious infrastructure, phishing campaigns, malware distribution, and suspicious domains.

Updated Integrations

The following integrations have been updated in this release of D3 SOAR.

Integration Name	Changes
AWS Security Hub	New Commands Batch Update Findings
ChatGPT	Connection Changed the API Version parameter from required to optional.
CrowdStrike	New Commands Run Batch Get
Delinea Secret Server (Thycotic Secret Server)	Name Renamed Thycotic Secret Server to Delinea Secret Server. New Commands Fetch Secret by ID
Manage Engine ServiceDesk Plus	Connection Refined the connection logic to support connectivity with all data centers.
Office 365	Enhanced Commands Search and Move or Copy Email Messages: Renamed from Search and Move Email Messages to reflect its updated functionality. The command now includes the ability to copy email messages. A new input parameter, Move or Copy, lets users select the desired operation.
Recorded Future-SecurityTrails	New Commands Apply Tags to Asset Create Tag Find Assets Get Asset Details Get Exposure Assets Get Tags List Asset Exposures List Exposures List Projects Remove Tags From Asset
SentinelOne	New Commands Get Threat Notes Update Threat Note
TAXII 2 Threat Feed	Connection Added the Client Certificate authentication type. New Commands Fetch Event (replaced the old Fetch Event command) Deprecated Commands Fetch Event (replaced by the new Fetch Event command)
Trend Vision One v3.0	New Commands Collect Files Disable User Accounts Enable User Accounts Force Sign Out List Custom Scripts List Response Tasks Reset Passwords Scan for Malware Submit Files to Sandbox Terminate Processes Upload Custom Scripts

Deprecated Integrations

Integration Name

Replacement

CrowdStrike Falcon (Deprecated)

CrowdStrike: The new Run Batch Get command consolidates and improves on the functionality of the following CrowdStrike Falcon command:

Run Batch Get